forked from TrueCloudLab/distribution
Registry - make minimum TLS version user configurable
Signed-off-by: J. Gregory Rebholz <gregrebholz@gmail.com>
This commit is contained in:
parent
91b0f0559e
commit
cdb62b2b77
4 changed files with 26 additions and 3 deletions
|
@ -108,6 +108,9 @@ type Configuration struct {
|
||||||
// A file may contain multiple CA certificates encoded as PEM
|
// A file may contain multiple CA certificates encoded as PEM
|
||||||
ClientCAs []string `yaml:"clientcas,omitempty"`
|
ClientCAs []string `yaml:"clientcas,omitempty"`
|
||||||
|
|
||||||
|
// Specifies the lowest TLS version allowed
|
||||||
|
MinimumTLS string `yaml:"minimumtls,omitempty"`
|
||||||
|
|
||||||
// LetsEncrypt is used to configuration setting up TLS through
|
// LetsEncrypt is used to configuration setting up TLS through
|
||||||
// Let's Encrypt instead of manually specifying certificate and
|
// Let's Encrypt instead of manually specifying certificate and
|
||||||
// key. If a TLS certificate is specified, the Let's Encrypt
|
// key. If a TLS certificate is specified, the Let's Encrypt
|
||||||
|
|
|
@ -83,6 +83,7 @@ var configStruct = Configuration{
|
||||||
Certificate string `yaml:"certificate,omitempty"`
|
Certificate string `yaml:"certificate,omitempty"`
|
||||||
Key string `yaml:"key,omitempty"`
|
Key string `yaml:"key,omitempty"`
|
||||||
ClientCAs []string `yaml:"clientcas,omitempty"`
|
ClientCAs []string `yaml:"clientcas,omitempty"`
|
||||||
|
MinimumTLS string `yaml:"minimumtls,omitempty"`
|
||||||
LetsEncrypt struct {
|
LetsEncrypt struct {
|
||||||
CacheFile string `yaml:"cachefile,omitempty"`
|
CacheFile string `yaml:"cachefile,omitempty"`
|
||||||
Email string `yaml:"email,omitempty"`
|
Email string `yaml:"email,omitempty"`
|
||||||
|
@ -105,6 +106,7 @@ var configStruct = Configuration{
|
||||||
Certificate string `yaml:"certificate,omitempty"`
|
Certificate string `yaml:"certificate,omitempty"`
|
||||||
Key string `yaml:"key,omitempty"`
|
Key string `yaml:"key,omitempty"`
|
||||||
ClientCAs []string `yaml:"clientcas,omitempty"`
|
ClientCAs []string `yaml:"clientcas,omitempty"`
|
||||||
|
MinimumTLS string `yaml:"minimumtls,omitempty"`
|
||||||
LetsEncrypt struct {
|
LetsEncrypt struct {
|
||||||
CacheFile string `yaml:"cachefile,omitempty"`
|
CacheFile string `yaml:"cachefile,omitempty"`
|
||||||
Email string `yaml:"email,omitempty"`
|
Email string `yaml:"email,omitempty"`
|
||||||
|
|
|
@ -777,6 +777,7 @@ http:
|
||||||
clientcas:
|
clientcas:
|
||||||
- /path/to/ca.pem
|
- /path/to/ca.pem
|
||||||
- /path/to/another/ca.pem
|
- /path/to/another/ca.pem
|
||||||
|
minimumtls: tls1.0
|
||||||
letsencrypt:
|
letsencrypt:
|
||||||
cachefile: /path/to/cache-file
|
cachefile: /path/to/cache-file
|
||||||
email: emailused@letsencrypt.com
|
email: emailused@letsencrypt.com
|
||||||
|
@ -813,8 +814,9 @@ and proxy connections to the registry server.
|
||||||
| Parameter | Required | Description |
|
| Parameter | Required | Description |
|
||||||
|-----------|----------|-------------------------------------------------------|
|
|-----------|----------|-------------------------------------------------------|
|
||||||
| `certificate` | yes | Absolute path to the x509 certificate file. |
|
| `certificate` | yes | Absolute path to the x509 certificate file. |
|
||||||
| `key` | yes | Absolute path to the x509 private key file. |
|
| `key` | yes | Absolute path to the x509 private key file. |
|
||||||
| `clientcas` | no | An array of absolute paths to x509 CA files. |
|
| `clientcas` | no | An array of absolute paths to x509 CA files. |
|
||||||
|
| `minimumtls` | no | Minimum TLS version allowed (tls1.0, tls1.1, tls1.2). Defaults to tls1.0 |
|
||||||
|
|
||||||
### `letsencrypt`
|
### `letsencrypt`
|
||||||
|
|
||||||
|
|
|
@ -135,10 +135,26 @@ func (registry *Registry) ListenAndServe() error {
|
||||||
}
|
}
|
||||||
|
|
||||||
if config.HTTP.TLS.Certificate != "" || config.HTTP.TLS.LetsEncrypt.CacheFile != "" {
|
if config.HTTP.TLS.Certificate != "" || config.HTTP.TLS.LetsEncrypt.CacheFile != "" {
|
||||||
|
var tlsMinVersion uint16
|
||||||
|
if config.HTTP.TLS.MinimumTLS == "" {
|
||||||
|
tlsMinVersion = tls.VersionTLS10
|
||||||
|
} else {
|
||||||
|
switch config.HTTP.TLS.MinimumTLS {
|
||||||
|
case "tls1.0":
|
||||||
|
tlsMinVersion = tls.VersionTLS10
|
||||||
|
case "tls1.1":
|
||||||
|
tlsMinVersion = tls.VersionTLS11
|
||||||
|
case "tls1.2":
|
||||||
|
tlsMinVersion = tls.VersionTLS12
|
||||||
|
default:
|
||||||
|
return fmt.Errorf("unknown minimum TLS level '%s' specified for http.tls.minimumtls", config.HTTP.TLS.MinimumTLS)
|
||||||
|
}
|
||||||
|
dcontext.GetLogger(registry.app).Infof("restricting TLS to %s or higher", config.HTTP.TLS.MinimumTLS)
|
||||||
|
}
|
||||||
tlsConf := &tls.Config{
|
tlsConf := &tls.Config{
|
||||||
ClientAuth: tls.NoClientCert,
|
ClientAuth: tls.NoClientCert,
|
||||||
NextProtos: nextProtos(config),
|
NextProtos: nextProtos(config),
|
||||||
MinVersion: tls.VersionTLS10,
|
MinVersion: tlsMinVersion,
|
||||||
PreferServerCipherSuites: true,
|
PreferServerCipherSuites: true,
|
||||||
CipherSuites: []uint16{
|
CipherSuites: []uint16{
|
||||||
tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
|
tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
|
||||||
|
|
Loading…
Reference in a new issue